x/crypto/openpgp: Creating a signing subkey with an EmbeddedSignature doesn't seem possible #23231

Closed
paultag opened this issue Dec 23, 2017 · 4 comments


paultag commented Dec 23, 2017

Please answer these questions before submitting your issue. Thanks!

What version of Go are you using (go version)?

go version go1.9.2 linux/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/paultag/go"
GORACE=""
GOROOT="/usr/lib/go-1.9"
GOTOOLDIR="/usr/lib/go-1.9/pkg/tool/linux_amd64"
GCCGO="/usr/bin/gccgo"
CC="gcc"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build824936553=/tmp/go-build -gno-record-gcc-switches"
CXX="g++"
CGO_ENABLED="1"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"

What did you do?

When creating a signing subkey in Go, I created an EmbeddedSignature, but when I Serialize, it goes missing.

This strikes me as weird, since Serialize will output the Signature when it parses one coming in. This makes me think that it's dumping some sort of raw internal slice containing the packets it saw coming in.

Is it possible to create a signing subkey in Go? I don't see anyone using this field outside of validation.

What did you expect to see?

A Signature subpacket in my signature

What did you see instead?

No cross signature.

@gopherbot gopherbot added this to the Unreleased milestone Dec 23, 2017
@paultag paultag changed the title x/crypto/openpgp x/crypto/openpgp: Creating a signing subkey with an EmbeddedSignature doesn't seem possible Dec 23, 2017

paultag commented Dec 23, 2017

(Sorry for not finishing the title; updated)


paultag commented Dec 28, 2017

cc @kbsriram @agl - if either of you can do a quick triage on if it's user error (in which case, I'll open a PR with docs) or if this is a legit issue.

I tried taking a whack at fixing it, but the signature serialization is a bit .... tightly coupled with writing out a signature packet. It didn't seem clear on the right way to refactor it, so I'm going to have to give up on fixing it.

@syadav2015

@paultag @agl Seems like EmbeddedSignatures (0x19: Primary Key Binding Signature from RFC4880 Section 5.2.1) are not currently supported. Taking a look at the code in addSubKey() in openpgp/keys.go:

if sig.SigType != packet.SigTypeSubkeyBinding && sig.SigType != packet.SigTypeSubkeyRevocation {
	return errors.StructuralError("subkey signature with wrong type")
}

Seems like only SigTypeSubkeyBinding (0x18) is supported. I am planning to take a shot at implementing this. Any poc code or notes/docs you could share regarding this would help me get a jumpstart on this issue.
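
Added example (not code from x/crypto/openpgp or from anyone in this thread): a standard-library Go check that reports the "no cross signature" condition described above, by walking the RFC 4880 subpacket areas of a v4 subkey binding signature and looking for an Embedded Signature subpacket of type 0x19 when the signing key flag is set. The function names are hypothetical, the subpacket numbers (27, 32) and flag 0x02 come from RFC 4880 rather than this page, the sample bytes are constructed, and the check tests presence only, not cryptographic validity.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// RFC 4880: subpacket types 27 (Key Flags), 32 (Embedded Signature); flag 0x02; sig type 0x19.
const subKeyFlags, subEmbeddedSig, flagSign, sigPrimaryBind = 27, 32, 0x02, 0x19

// parseSubpackets walks one subpacket area, calling fn(type, body) per entry.
func parseSubpackets(area []byte, fn func(typ byte, body []byte)) error {
	for len(area) > 0 {
		n, hdr := int(area[0]), 1 // one-octet length unless overridden below
		switch {
		case n == 255 && len(area) >= 5: // five-octet length form
			n, hdr = int(binary.BigEndian.Uint32(area[1:5])), 5
		case n >= 192 && n < 255 && len(area) >= 2: // two-octet length form
			n, hdr = (n-192)<<8+int(area[1])+192, 2
		}
		if n < 1 || n > len(area)-hdr { // also rejects a truncated length header
			return fmt.Errorf("subpacket length %d out of range", n)
		}
		fn(area[hdr]&0x7f, area[hdr+1:hdr+n]) // mask off the critical bit
		area = area[hdr+n:]
	}
	return nil
}

// missingBackSig: signing flag set in the hashed area, but no embedded v4 0x19 signature.
func missingBackSig(hashed, unhashed []byte) (bool, error) {
	canSign, backSig := false, false
	for i, area := range [][]byte{hashed, unhashed} {
		if err := parseSubpackets(area, func(typ byte, body []byte) {
			flags := i == 0 && typ == subKeyFlags && len(body) > 0 // hashed area only
			canSign = canSign || (flags && body[0]&flagSign != 0)
			embedded := typ == subEmbeddedSig && len(body) > 1 && body[0] == 4
			backSig = backSig || (embedded && body[1] == sigPrimaryBind)
		}); err != nil {
			return false, err
		}
	}
	return canSign && !backSig, nil
}

func main() {
	fmt.Println(missingBackSig([]byte{2, 27, 0x02}, nil)) // constructed input
}
```

Key Flags are read only from the hashed area because the unhashed area is not covered by the binding signature; the embedded signature is accepted from either area.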

@FiloSottile
Contributor

Per the accepted #44226 proposal and due to lack of maintenance, the golang.org/x/crypto/openpgp package is now frozen and deprecated. No new changes will be accepted except for security fixes. The package will not be removed.

If this is a security issue, please email security@golang.org and we will assess it and provide a fix.

If you're looking for alternatives, consider the crypto/ed25519 package for simple signatures, golang.org/x/mod/sumdb/note for inline signatures, or filippo.io/age for encryption. You can read a summary of OpenPGP issues and alternatives here.

If you are required to interoperate with OpenPGP systems and need a maintained package, we suggest considering one of multiple community forks of golang.org/x/crypto/openpgp. We don't endorse any specific one.

@golang golang locked and limited conversation to collaborators Mar 29, 2022